IN THE SPECIFICATION 

Please replace the paragraph beginning at page 13, line 6, with: 

Fig. 3 is a block diagram of a workgroup switch 22, in accordance with an embodiment of 
the present invention. Switch 22 comprises a plurality of ports 30 which lead to computers 26 or to 
other network elements (e.g., switches, routers, firewalls), via links 28 (Fig. 2). A hardware unit 
32 forwards data frames between ports 30 as is known in the art. In accordance with some 
embodiments of the invention, hardware unit 32 performs policy enforcement on at least some of 
the frames on which it performs layer-2 switching. 

Please replace the paragraph beginning at page 16, line 15, with: 

If frame 40 is allowed to be forwarded according to the security rules, processor 34 optionally 
determines (80), based on predetermined rules, the policy with which the frame is to be forwarded, 
such as the quality of service (QoS) of the frame, and/or whether the frame should undergo sniffing 
and/or counting. If (82) the determined policy is default, e.g., the frame is forwarded with the QoS 
tagged to the frame and no sniffing and/or counting are required, the frame is forwarded (84) without 
further actions. Otherwise, a respective entry is created (86 88) in table 36 so that following frames 
of the same session will be forwarded by hardware unit 32 in accordance with the proper policy. By 
not creating entries for TCP sessions which have default QoS policy, the number of entries in table 
36 is substantially reduced. 

Please replace the paragraph beginning at page 18, line 7, with: 

Alternatively or additionally, hardware unit 32 checks whether the packet was received from 
a port 30 connected directly to a computer 26, before it determines (72) the protocol to which the 
frame belongs, such that substantially all frames not received directly from a computer 26 are 
forwarded without consulting table 36. Further alternatively or additionally, entries in table 36 are 
created (86 88) only for sessions which include frames which are received from ports directly 
connected to end-stations 26. 